Walkthrough — HTB Linux machine “Monteverde”

Rich Amies
Nov 30, 2020

Quick enumeration of the machine with nmap revealed the following information:

Many open ports were identified. As there is no useful HTTP server, I looked toward enum4linux after I found no useful information from DNS:

I created a list of users from this information, and was able to find a user using the username as the password via crackmapexec:

Excellent. Let’s take a look and see if we have any shares available:

Through the process of elimination, I found access to the users$ share:

We have access to one file — azure.xml, in the mhope directory:

I copied across the file and took a look at the contents:

I attempted to log in using Evil-WinRM as mhope (the user directory where the file was found) with the newly discovered password 4n0therD4y@n0th3r$:

A quick look at what this user account is able to do:

I uploaded the PowerShell script from here (https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Azure-ADConnect.ps1) and ran it, revealing further credentials to the system:

I then reconnected using Evil-WinRM with the newly-discovered administrator user and d0m@in4dminyeah! password:
